Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    119s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/08/2024, 10:14

General

  • Target

    a4045703e0b9a134174c1c1ced434530N.exe

  • Size

    77KB

  • MD5

    a4045703e0b9a134174c1c1ced434530

  • SHA1

    a80562871a961cb6756c570e9fc5850cf6a61ca2

  • SHA256

    a1573a07561f46923c863dc86574c95d198f114baeae431a59b35d1185d26798

  • SHA512

    05c5afa696d01cb1f93b45f4ddd583b3e51366d4fb33505b243280c030ae46dcf637b38a34564ab1a9294c02d07422b98b09dd31095bef0fb83a053f3c2f3dfc

  • SSDEEP

    1536:ekeK40T/mx7y9v7Z/Z2V/GSAFRfBhpVoK0:FD40Dmx7y9DZ/Z2hGVkK0

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 8 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 29 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a4045703e0b9a134174c1c1ced434530N.exe
    "C:\Users\Admin\AppData\Local\Temp\a4045703e0b9a134174c1c1ced434530N.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • Checks computer location settings
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3376
    • C:\recycled\SVCHOST.EXE
      C:\recycled\SVCHOST.EXE :agent
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4072
      • C:\recycled\SVCHOST.EXE
        C:\recycled\SVCHOST.EXE :agent
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:920
      • F:\recycled\SVCHOST.EXE
        F:\recycled\SVCHOST.EXE :agent
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3084
        • C:\recycled\SVCHOST.EXE
          C:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1628
        • F:\recycled\SVCHOST.EXE
          F:\recycled\SVCHOST.EXE :agent
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2444
        • C:\recycled\SPOOLSV.EXE
          C:\recycled\SPOOLSV.EXE :agent
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2096
          • C:\recycled\SVCHOST.EXE
            C:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4660
          • F:\recycled\SVCHOST.EXE
            F:\recycled\SVCHOST.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4540
          • C:\recycled\SPOOLSV.EXE
            C:\recycled\SPOOLSV.EXE :agent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4508
      • C:\recycled\SPOOLSV.EXE
        C:\recycled\SPOOLSV.EXE :agent
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4256
      • C:\Windows\SysWOW64\userinit.exe
        C:\Windows\system32\userinit.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3328
        • C:\Windows\SysWOW64\Explorer.exe
          Explorer.exe "C:\recycled\SVCHOST.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3592
    • F:\recycled\SVCHOST.EXE
      F:\recycled\SVCHOST.EXE :agent
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4208
    • C:\recycled\SPOOLSV.EXE
      C:\recycled\SPOOLSV.EXE :agent
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3844
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a4045703e0b9a134174c1c1ced434530N.doc" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3312
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
      PID:4592

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Recycled\SPOOLSV.EXE

      Filesize

      77KB

      MD5

      67ceb7e39edea04e82bfc6d93da87a7a

      SHA1

      4533753acc1efc6869133590386c4766581c9dad

      SHA256

      7b73ddd698d25a4fb9c894e6f81078bf1ea8d7114137174a07594c7ff9e5a995

      SHA512

      7f81b5cd41c02f2fbb4412e655bb6873df877e3419938e40d66b21acd111b440800040105f8ac283b3b94ece4b3be9b009a17121d9397554dfe57990d4263f12

    • C:\Recycled\SVCHOST.EXE

      Filesize

      77KB

      MD5

      af46ea7aa5188b72ed5c1becb73a7ce1

      SHA1

      266ebce9bebcba7aa4979c550a27002f532eb26e

      SHA256

      8349579280e245e66513b8b86628e755b95d78859ecf6ffb34edeeb799084da2

      SHA512

      91ad4a82c89dd0738d7ea2eb8957e4cfd99b86be220e01c9b3ca385aac146c86511f761d9d2b0475590f9d521e7e3fce57685a229118473b80e71e49fd7b96a4

    • C:\Recycled\desktop.ini

      Filesize

      65B

      MD5

      ad0b0b4416f06af436328a3c12dc491b

      SHA1

      743c7ad130780de78ccbf75aa6f84298720ad3fa

      SHA256

      23521de51ca1db2bc7b18e41de7693542235284667bf85f6c31902547a947416

      SHA512

      884cd0cae3b31a594f387dae94fc1e0aacb4fd833f8a3368bdec7de0f9f3dc44337c7318895d9549aad579f95de71ff45e1618e75065a04c7894ad1d0d0eac56

    • C:\Users\Admin\AppData\Local\Temp\Flu Burung.txt

      Filesize

      1KB

      MD5

      0269b6347e473980c5378044ac67aa1f

      SHA1

      c3334de50e320ad8bce8398acff95c363d039245

      SHA256

      68f5bd85c17975419bb4eacf615286d749bcb951e487813361837580b39ffee2

      SHA512

      e5c525fe688ecd3926ae634a61dc48c4837d7e56aae00b22e4f7d824df804cb536f6df077d5f6c67f63f73832ba00249ed3a75ed40ec9db6e026041b28404d7b

    • C:\Users\Admin\AppData\Local\Temp\TCD5AC.tmp\gb.xsl

      Filesize

      262KB

      MD5

      51d32ee5bc7ab811041f799652d26e04

      SHA1

      412193006aa3ef19e0a57e16acf86b830993024a

      SHA256

      6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

      SHA512

      5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

      Filesize

      2KB

      MD5

      3fd06adbf5a8ec69b1a13f43897c9676

      SHA1

      c75f4df8db6fceaf393841088b59d2861a413347

      SHA256

      2cf2cf35c741af3ac22816355fb1868c83636ed1f14d4a29ff2c0a087e112aa0

      SHA512

      3a7d6142a03ab824d332a1d9f60e6998c6ec8fdd8a3eeb63789f866f8a7022633583b1a35957bdd4646fff031978114ef0aa23a3849e497522b560ae1c96eb05

    • C:\begolu.txt

      Filesize

      2B

      MD5

      2b9d4fa85c8e82132bde46b143040142

      SHA1

      a02431cf7c501a5b368c91e41283419d8fa9fb03

      SHA256

      4658d6abbbaf7748c172ed5a3e003cdb8997648f88724834e41f75e54520e142

      SHA512

      c37f27b442d578e94db6e5d879d026b0b3457f42b99ec56a9cb6fca3161540a32e207b942ef2ddb7be01fa9245ba4d8c859978a0f9a498c1ad8aa46d0890e6be

    • F:\Recycled\SVCHOST.EXE

      Filesize

      77KB

      MD5

      7f45679ac099db366907493c01f85d61

      SHA1

      5da82af44292bb4376fe7c3b6f1c8878e5759bf8

      SHA256

      0c222d36a99c76dd72371f876a41a75d9c9b5284f77be8b64b1d90cd2c5830e2

      SHA512

      5d5a4806d54b2ad4e31634174cd2209ae2a4cf21e23a11013ad1dff60079c0c29e198136c2562d19471ea0f315549bdc4ab9245ddce41198c80e870a76f27ad9

    • memory/920-26-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/1628-37-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/1628-40-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/2096-46-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/2444-45-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/3084-31-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/3312-80-0x00007FFD31310000-0x00007FFD31320000-memory.dmp

      Filesize

      64KB

    • memory/3312-85-0x00007FFD2EBF0000-0x00007FFD2EC00000-memory.dmp

      Filesize

      64KB

    • memory/3312-86-0x00007FFD2EBF0000-0x00007FFD2EC00000-memory.dmp

      Filesize

      64KB

    • memory/3312-84-0x00007FFD31310000-0x00007FFD31320000-memory.dmp

      Filesize

      64KB

    • memory/3312-83-0x00007FFD31310000-0x00007FFD31320000-memory.dmp

      Filesize

      64KB

    • memory/3312-82-0x00007FFD31310000-0x00007FFD31320000-memory.dmp

      Filesize

      64KB

    • memory/3312-81-0x00007FFD31310000-0x00007FFD31320000-memory.dmp

      Filesize

      64KB

    • memory/3376-79-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/3376-0-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/3844-77-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/3844-73-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/4072-17-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/4208-75-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/4256-68-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/4508-64-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/4540-61-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/4540-57-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB

    • memory/4660-56-0x0000000000400000-0x000000000041A000-memory.dmp

      Filesize

      104KB